Cloud computing is a technology that provides cost-efficient, on-demand computing and storage resources to end users. Key components of a cloud include virtualized software, infrastructure and computing platforms. Devices having limited capabilities, such as for example mobile phones, may benefit from using cloud computing to get access to external resources.
It is believed that cloud computing is not presently receiving a wide acceptance because of its lack of adequate security features. In fact, a user cannot currently be certain whether or not his data can be correctly safeguarded within the cloud.
Two common security or encryption themes exist, namely transport security and object security. While transport security protects data during transport between hosts, object security handles information as objects and also encrypts them as objects. Object security implies that information is encrypted also during storage. As a result, in principle, no additional protection is needed during transport of an object already protected as such. However, to process or consume data, for instance by rendering of an audio file, the object needs to be decrypted at some point, preferably in a secure environment.
Both of these security concepts suffer from important drawbacks. Transport security is provided by existing protocols that enable mutual authentication of nodes and then encryption of data packets exchanged therebetween. This concept can only apply between a data user and an entry point, or gateway, into a cloud. Transport security is not suitable when cloud computing is used and data is left unprotected within the cloud. On the hand, object security, which applies digital signatures and encryption to data objects, appears much more secure. However, operators of a network connecting end-users towards the entry point of the cloud may be subject to legal requirements such as legally authorized intercept, also called lawful intercept. Such requirements impose that network operators must be capable of providing law enforcement agencies with access to unencrypted content.
In line with the foregoing, it has been proposed to add a security gateway at an ingress point of a cloud computing network, the security gateway being part of a home network for a mobile user. The mobile user content can be encrypted at the gateway, before entering the cloud, by use of a session key. However, because such a session key can only be valid for the duration of a session, this solution requires that a session between the mobile user and the gateway be maintained for the lifetime of the user content. Moreover, this solution may be insufficient in a roaming scenario. When the mobile user is connected through a foreign network, or visited network, transport security may not be guaranteed between the visited network and the user's home network. The mobile user content may be readable and accessible while transiting through the visited network operator.
Additionally, existing solutions may apply a same key to all content accessing the cloud through the gateway, regardless of which end user that actually generates or receives the content. This cannot be acceptable in a cloud computing scenario in which content from different users should be treated independently.